<p>A <code>@RequestMapping</code> method handles all matching requests by default. That means that a method you intended only to be
<code>POST</code>-ed to could also be called by a <code>GET</code>, thereby allowing hackers to call the method inappropriately. For example a
"transferFunds" method might be invoked like so: <code>&lt;img
src="http://bank.com/actions/transferFunds?reciepientRouting=000000&amp;receipientAccount=11111111&amp;amount=200.00" width="1"
height="1"/&gt;</code></p>
<p>For that reason, you should always explicitly list the single HTTP method with which you expect your <code>@RequestMapping</code> Java method to be
called. This rule raises an issue when <code>method</code> is missing and when the <code>method</code> parameter is configured with more than one
verb. Mixing GET and POST verbs can lead to information leakage. It's easier to setup Spring Security’s CSRF protection when there is only one verb
per <code>@RequestMapping</code>.</p>
<h2>Noncompliant Code Example</h2>
<pre>
@RequestMapping("/greet")  // Noncompliant
public String greet(String greetee) {
}

@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Noncompliant
String delete(@RequestParam("id") String id) {
  return "Hello from delete";
}
</pre>
<h2>Compliant Solution</h2>
<pre>
  @RequestMapping("/greet", method = GET)
  public String greet(String greetee) {
  }

  @RequestMapping(path = "/delete", method = RequestMethod.GET)
  String delete(@RequestParam("id") String id) {
   return "Hello from delete";
  }
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
  Misconfiguration </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/352.html">MITRE, CWE-352</a> - Cross-Site Request Forgery (CSRF) </li>
  <li> <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">OWASP: Cross-Site Request Forgery</a> </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
  <li> <a href="https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-use-proper-verbs">Spring Security Official
  Documentation: Use proper HTTP verbs (CSRF protection)</a> </li>
</ul>

